To be effective, both must see the incident through the eyes of a malware analyst, network analyst, penetration tester, and forensic analyst. At the same time, neither has to become an expert at these skills, there are resources available to help when needed. But a generalist level of knowledge is important, if only to understand what steps need to be taken next.
See the Big Picture
There are many different types of security incidents, Carhart explains, everything from targeted attacks, to malware outbreaks and insider threats.
Each one will have a different business impact on different parts of a victim organization, and an incident responder has a responsibility to understand the big business picture.
"He or she should be generally cognizant of systems and projects that may be targets or of interest to an attacker, and able to know who to contact for further information about them. The incident responder should also be doing enough due diligence to understand the cultural, legal, environmental, and financial differences between our business units and physical locations. This will allow the security team to understand how incidents will impact each one differently and how they will need to be remediated differently," she said.
Keep Control of the Incident
An incident responder leads the coordination of response and remediation, and ensures that the various teams responsible stay on track and on schedule. They're the ones who determine where the investigation leads next.
The incident handler's responsibility will be to schedule regular communication and status updates with all impacted teams. This aspect of the job can require some project and people management skills that many universities don't offer to information security students.
"I'd suggest to anyone struggling with dealing with task scheduling or dealing with senior leadership to take a basic management course. Attending security conferences and meet-ups (especially speaking at conferences), can also help build these skills," Carhart explained.
"Lastly, an incident responder should take pride in his or her work, and responsibility for his or her mistakes. Every incident is different, and every person will eventually make mistakes. The best thing we can do is learn from them and not repeat them."